Thank you for your reply.
First, I tried querying the destination IP: 40.104.21.66, but found no log records. In my production environment, it appears that no internal user is initiating connections to this Microsoft IP.
However, in reality, connecting to Outlook will trigger this log entry.
When I queried the source IP: 40.104.21.66, there were log entries—just like the image I previously provided.
The rule name shows: CPNotEnoughDataForRuleMatch, and there are no other logs related to this IP.
I’ve also reviewed SK113479 and looked into similar cases reported by other users in the forums where this rule was triggered.
However, I haven’t seen anyone experiencing the same situation as in my production environment — specifically, an external IP initiating a connection to the firewall’s external interface over port 443.
Based on what I’ve seen from other users and my own lab testing, this CPNotEnoughDataForRuleMatch rule more commonly appears when an internal user connects to a public IP over port 443, and there are usually related logs as well. But in my production environment, the situation appears to be the opposite.
The following image is from my lab environment, and the situation is very similar to what other users have reported in the forums.

Thank you.